year mission. The reliability model was constructed in
a Lotus 1-2-3 spreadsheet to enable the designers to do 
"what-if" analysis. 
I. INTRODUCTION


A. GENERAL BACKGROUND AND PURPOSE 

The Naval Postgraduate School Mini-Satellite
(subsequently referred to as ORION) is an actual 
engineering effort by the students and faculty of the 
Naval Postgraduate School to produce a low cost, multi- 
purpose satellite. The focus of this thesis, as a 
portion of that effort, is to derive a fault tree for 
ORION and assist in its design by identifying weak 
links in its system reliability. The format of the 
thesis is intended to make the results of this analysis 
readily accessible to colleagues to facilitate the 
design and construction of ORION. 


B. SATELLITE OVERVIEW 

ORION is an alternative concept for low cost
military spaceflight. It is designed to be an
inexpensive, reliable satellite bus that can be mission
specific, yet maintain a flexible architecture. The
mission payloads can vary from 50 lbs. to 130 lbs. and
are designed for a mission life of three years. Due to
its simplistic design, ORION includes very little
redundancy.


1. Objectives for ORION
ORION is designed with eight objectives in
mind. They are:
a. to satisfy many small mission needs with a low
cost, reconfigurable vehicle.
b. to provide an affordable, boosted-free flyer to
complement SPARTAN and SPAS.¹
c. to achieve circular orbits from 135 nm (nautical
miles) to 800 nm with propellant reserve.
d. to achieve elliptic orbits to 2200 nm with a
perigee of 135 nm.
e. to have a longer life at Shuttle altitude than
SPARTAN.
f. to provide an affordable platform for space
science, space technology, and military missions.
g. to be a cost effective bus for constellation
proliferation.
h. to be dependable and affordable.

¹ SPARTAN and SPAS are existing experimental Pau used by the Shuttle. They are on
station as long as the Shuttle is on station.


2. ORION Main Subsystems 

For purposes of management and design, ORION 
can be separated into seven subsystems. The subsystems 
are: 
a. the propulsion subsystem.
b. the electrical power subsystem.
c. the data storage subsystem.
d. the telemetry subsystem.
e. the thermal control subsystem.
f. the attitude control subsystem.
g. the computer subsystem.

The reliability analysis focuses on how the
subsystems interrelate. As an example, all the
subsystems require the electrical power subsystem to 
work. These dependency relationships are developed and 
displayed in the fault tree. 


3. Possible Military Applications 
Due to ORION’s objectives and simplistic
design, there are several apparent military
applications. Some of those applications include:
a. proliferated platforms for communication.
b. ultraviolet sensor platforms.
c. high energy particle detectors.
d. targeting laser or KE (kinetic energy)
weapons, Geen ting vehicle simulator, or -@iri 1 |
assessment.
e. low cost imaging platforms.


C. ORGANIZATION 

This chapter provides some background to ORION and 
its possible applications. Chapter II gives a short 
background of reliability analysis. Chapter III follows 
with a description of fault tree analysis. Chapter IV 
contains the applications of a fault tree analysis to 
ORION. The final chapter, Chapter V, states the
conclusions, recommendations, and suggestions for
further research.


D. SUMMARY 

The primary benefit of this analysis has been to 
aid in the design of ORION. This was accomplished by 
identifying 82 minimal cut sets. Of these cut sets 22 
are single-element sets, 29 are double-element cut 
sets, 27 are three-element cut sets, 2 are five-element 
cut sets, 1 is a six-element cut set and 1 is an
eleven-element cut set.

The dual tree reveals over 33 billion distinct 
paths. Using modular decomposition this number is 
reduced to three distinct paths. The path sets were
used to determine the structural importance of each
component.

The structural importance analysis determined seven
different levels of significance. Twenty components are
structurally the most significant. A listing of them is
given in Appendix C. The remaining levels and their
associated components are listed in Chapter IV. 

The reliability importance of components cannot be
determined since the design is not completely
established. A Lotus spreadsheet was developed to allow
the designers to do a "what-if" analysis with component
probabilities as the subsystems are developed.


II. BACKGROUND TO RELIABILITY ANALYSIS 


A salesman called on Steinway & Sons to show them a 
new piano-key pin. "My company believes this aluminum 
pin is greatly superior to the pin you have been 
using."

Mr. Steinway deliberated for some moments. "Well,
young man," he said at last, "we are an old firm, slow
and cautious about making changes. But we will install
your pins in one of our pianos and give them a trial."

The salesman was delighted. "That’s good enough for
me," he said. "How long a trial will you need?"

"Oh," said Mr. Steinway thoughtfully, "I’d say
about 50 years." [Ref. 1]


A. GENERAL 

Performing the mission is undoubtedly the best test
of reliability. However, today’s decision makers and
analysts rarely have Mr. Steinway’s luxury of time. Not
only is time a scarce resource, but there are many
cases when neither the system’s working or living
environment nor the money to do extensive or realistic
reliability tests is available. With such constraints,
other methods must be employed to estimate
reliabilities or limits on reliabilities. Reliability,
in the sense used here and throughout the thesis, is
the probability of a device performing its function
adequately for a specified length of time and operating
conditions. Therefore, the purpose of reliability or
system analysis is to seek out those reliabilities or
limits on reliabilities. Within that pursuit, there are
two important aspects to a system analysis: (1) an
inductive analysis stage and (2) a deductive analysis
stage.

During the inductive analysis stage, available 
information on the system is gathered and organized. 
The system is then defined, its functional purpose
described, and its critical components determined. At
this stage, the question is posed "What can happen to
the system as a result of component failure or human
error?" Possible system failure modes are then
hypothesized. A failure modes and effects analysis is
conducted at the component level. Specifically, a list 
of all envisioned mechanical and electrical failure 
modes is generated. This, in turn, leads to a critical 
components list including assessed failure rates. 
Additionally, it is well known that system failures 
often occur at subsystem interfaces. The interfaces, 
therefore, become an important part of the analysis 
along with the components. 

The deductive analysis of a system or reliability 
analysis answers the question "How can a system fail 
(or succeed) or be unavailable?" A logic tree (or fault 
tree) is often the best device for deducing how a major 
system failure event could occur. However, its
construction depends on a thorough understanding of the
system and the results of the system inductive
analysis. A block diagram or a network graph is a 
useful device for representing a successfully 


functioning system. Since the network graph is close to 
a system functional representation, it cannot capture 
abstract system failure and human error events as well 
as the logic tree representation. [Ref. 2: pp. 1-2] 
Also during the deductive stage a particular method 
of analysis must be selected and employed. Some of 
those methods include: fault tree analysis; state space
approach; decomposition method; CLrecuLe stress
analysis; network reduction technique; block diagrams;
and Monte Carlo simulation. Each has its advantages and 
disadvantages. The primary reason fault tree analysis 
was selected is that ORION is still in its design stage 
and fault tree analysis is particularly beneficial in 


developing a design. 


B. PHASED MISSIONS 

Phases of deployment affect a satellite’s
reliability. A phase change occurs whenever the size of 
the set of active components changes. Another way to 
look at this is to say the functional organization of 
the system changes with time. During each phase of the 
mission the system must accomplish a specified task. 

A phased mission profile causes complexities not 
present in a single-phase system. However, it can be 
transformed into an equivalent synthetic single-phase 
system. This refined profile can then be used to derive 
an approximation of, or bounds on, mission or satellite 
reliability.

It is inappropriate to do a standard reliability 
analysis for each separate phase, and then multiply the 
resulting phase reliabilities together as if they 
referred to independent events. The implicit assump- 
tion, that each component is functioning at the 
beginning of a phase when the system has functioned 
throughout the previous phase, is not necessarily true. 
[Ref. 3: pp. 11, 12] A component must have survived the 
first n-1 phases before it can function in the nth 
phase. Additionally, through the sequence of phases, a
component or set of components may be turned on and off
several times during the first n-1 phases before it is
needed during the nth phase. These are all reasons
the phase reliabilities cannot be merely multiplied
together to obtain an overall system reliability. A
simple example follows to illustrate phased mission
analysis.


Example 2.1: A system with two independent
components, $C_1$ and $C_2$, is designed for a two-phased
mission. In order for the system to perform the
required tasks, at least one component has to function
through phase 1 and both components have to function
through phase 2. The block diagram for this system is

[Block diagram: phase 1, phase 2]

For $k = 1, 2$, let $p_{k1}$ denote the probability that
component $C_k$ functions through phase 1, and $p_{k2}$ denote
the conditional probability that component $C_k$ functions
through phase 2, given that it has functioned through
phase 1. The system reliability for phase 1 is
$P_1 = p_{11} + p_{21} - p_{11}p_{21}$, and the system reliability for
phase 2, given that both the components have functioned
through phase 1, is $P_2 = p_{12}p_{22}$. Multiplying these
together would lead to the mission reliability

$$P = (p_{11} + p_{21} - p_{11}p_{21})\,p_{12}p_{22}$$

This is greater than the correct mission reliability,
which is

$$p_{11}p_{12}p_{21}p_{22}$$

since mission success is achieved only if both
components function through both phases. [Ref. 3: pp. 12-13]
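
Example 2.1 worked numerically, as an added example that is not part of the thesis: the naive product of phase reliabilities is compared with the exact mission reliability found by enumerating how many phases each component survives. The function names and sample probabilities are constructed for illustration, and the enumeration generalizes Example 2.1 to any number of independent components and phases.

```python
from itertools import product
from math import prod


def system_reliability(structure, probs):
    """P(structure is satisfied) for independent components, P(up_k) = probs[k]."""
    total = 0.0
    for up in product((True, False), repeat=len(probs)):
        if structure(up):
            total += prod(q if u else 1.0 - q for q, u in zip(probs, up))
    return total


def naive_mission_reliability(p, structures):
    """Multiply the per-phase reliabilities as if phases were independent events.

    p[k][j] is the conditional probability that component k functions through
    phase j+1 given that it functioned through phase j (the p_kj of Example 2.1).
    """
    return prod(
        system_reliability(s, [p_k[j] for p_k in p])
        for j, s in enumerate(structures)
    )


def phases_survived_distribution(p_k):
    """dist[l] = P(component functions through exactly the first l phases)."""
    dist, alive = [], 1.0
    for q in p_k:
        dist.append(alive * (1.0 - q))  # fails during this phase
        alive *= q
    dist.append(alive)                  # functions through every phase
    return dist


def exact_mission_reliability(p, structures):
    """Sum over component lifetimes for which every phase's structure is satisfied."""
    n_phases = len(structures)
    dists = [phases_survived_distribution(p_k) for p_k in p]
    total = 0.0
    for lives in product(range(n_phases + 1), repeat=len(p)):
        # Component k is up in phase j (0-based) only if it survived more than j phases.
        if all(s([l > j for l in lives]) for j, s in enumerate(structures)):
            total += prod(d[l] for d, l in zip(dists, lives))
    return total


# Example 2.1: phase 1 needs at least one component (parallel),
# phase 2 needs both components (series).
STRUCTURES = [any, all]

# Constructed sample values: rows are components C1 and C2, columns are p_k1, p_k2.
P = [[0.9, 0.8],
     [0.7, 0.6]]

if __name__ == "__main__":
    print("naive product:", round(naive_mission_reliability(P, STRUCTURES), 4))
    print("exact        :", round(exact_mission_reliability(P, STRUCTURES), 4))
```

Whenever the last phase is a series structure over all components, the exact result reduces to the product of every component's full-mission survival probability, which is the synthetic single-phase system used for ORION.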

C. MISSION PROFILES

An additional complication to phased missions is
the absence of an exact mission profile for ORION.
Since ORION is designed to be a low-cost general 
purpose bus for an electronics package, it can be 
employed in an infinite variety of profiles. For 
purposes of this analysis, two distinct profiles are 
analyzed. 

The first mission profile envisions a 3-axis 
stabilized sensor platform that does not experience an 
orbit change. After the satellite has been ejected from 
the canister it becomes autonomous. A short time delay 
is needed before ORION begins its mission profile. The 
time delay is necessary to insure ORION is sufficiently 
away from the Shuttle before it becomes active. This 
profile is partitioned into five phases. They are: 

- activation 

- antenna boom deployment 

- establish orientation 

- re-orientation (if necessary)

- station keeping

The purpose of the activation phase is to "wake up"
ORION and conduct internal checks to insure ORION is
functioning. The antenna deployment phase is completed
when the antenna booms are locked in the extended
position. The specific mission of the orientation phase
is to establish ORION’s spatial and orbital
orientation. The fourth phase may or may not occur. If it is
determined that ORION is not properly oriented, then
re-orientation is essential. This phase includes any
necessary re-orientation commands. The final phase
ensures ORION maintains the orbit(s) specified by its
mission profile. All of ORION’s subsystems are required
(i.e. must function) to perform station keeping tasks.

The second mission profile is for a spin stabilized
satellite with an orbit change. Such a profile is
characteristic of a communications satellite. This
profile has nine phases with the same four initial 
phases as the first mission profile (i.e. activation, 
antenna boom deployment, orientation and
re-orientation). The remaining five phases are:

- orbit boost

- orbit fix

- orientation

- re-orientation (if necessary)

- station keeping

The purpose of the orbit boost phase is to accelerate
ORION out of its low earth orbit. The orbit fix phase
establishes ORION’s mission orbit. The remaining three
phases are identical in purpose to the final three
phases of the first mission profile. Again, all of 
ORION’s subsystems must function to perform station 
keeping tasks. 

In both mission profiles (or in any mission profile 
generated) the last phase utilizes all of the
satellite’s subsystems. Since all subsystems are needed
during the last phase, the phased mission analysis 
dictates that every subsystem must survive the entire 
mission life. The resulting synthetic single-phase is 
all the subsystems operating in series during the 
entire length of the mission. 

III. FAULT TREE ANALYSIS DESCRIPTION


A. BACKGROUND TO FAULT TREE ANALYSIS

The bulk of this chapter is a compilation of
information extracted from reliability literature. It
is included here only to give the reader a background
to the fault tree reliability analysis performed in
this thesis.

The fault tree method resulted from a contract 
between the Air Force Ballistics Division and Bell 
Telephone Laboratories for the study of an inadvertent
launch of the Minuteman ICBM. The Launch Control Safety
Study (1962) first described fault tree analysis in
Volume JI Section VII "Method of Inadvertent Launch
Control Analysis." Minuteman I was in production when 
the study was completed, therefore no design changes 
resulted from the study (effecting design changes has 
become a primary advantage of fault tree analysis). 
Because the results of the analysis were so close to 
the observed data of Minuteman I, fault tree analysis 
was used during the design phase of Minuteman II. Since 
then, fault tree analysis has been used in combination 
with other techniques to predict and improve cae,
performance and reliability in complex aerospace and 
military systems. 

After initial work at Bell Telephone Laboratories, 
development of the fault tree method continued at the
Boeing Company, where the technique was applied to 
manned spacecraft. Boeing and AVCO published fault tree 
reports on the Minuteman II system in March 1963, and 
January 1964, respectively. In June 1965, Boeing and 
the University of Washington co-sponsored a System 
Safety Symposium in Seattle. Five of the presentations 
were fault tree articles by Boeing employees. A paper
by Mearns of Bell Telephone Laboratories also
described fault trees. These six papers and the Launch 
Control Safety Study are the main references cited in 
articles after 1965. [Ref. 4: p. 3] 


Fault tree analysis consists of six steps:

1. determine the top event to be investigated,

2. gain an understanding of the system,

3. construct the tree,

4. collect quantitative data,

5. evaluate the probability of the top event,
and

6. analyze the results.


The top event of the tree should be well defined in 
terms of operating modes of the system, environmental 
conditions and time limits. However, the failure must
represent a major system malfunction which threatens
personnel or equipment.

Generally accepted symbols are necessary to 
represent differences in events and logic relationships 
since the fault tree is graphic as well as analytic. In 
addition, several people at separate locations and at 
different times may contribute to the analysis. The
following sections describe events, logic gates and 
special symbols. 

Instead of being hardware oriented, fault tree
analysis is event or failure oriented; that is, it
Peaumes a particular system failure for all possible
causes. Control of the system failure through knowledge
of its causes is the analysis objective. The tree is a
graphical representation of possible causes of a major
failure which appears at the top of the tree (called
the top event). During construction, the tree grows
downward and outward as failures and causes are
described in increasing detail. When the tree is
completed, probabilities are associated with the
failures lowest on the tree. The bottom events concern
failures of basic components which can be associated
with probabilities. The assigned probabilities are
combined as dictated by logic gates to give
probabilities for events higher on the tree. The
combination of probabilities continues until the
complex top event has a probability calculated from the
accurate component data at the bottom of the tree. In
general, fault tree analysis involves two kinds of
reasoning: the thought processes involved in
construction produce a downward flow, whereas the
evaluation of probability and operation of the logic
gates dictate an upward flow. [Ref. 4: pp. 1,6,7] See
Figure 3.1 for an example of a fault tree.


B. PURPOSE OF FAULT TREES 

Generally, fault trees serve three purposes. 

First, they aid in determining the possible causes 
of a system failure. When properly used, the fault tree 
often leads to discovery of failure combinations which 
otherwise might not have been recognized as causes of 
the top event. 

Secondly, they serve as a display of results. If
the system design is not adequate, the fault tree can
be used to show what the weak points are and how they
lead to undesirable events. If the design is
adequate, the fault tree can be used to show that all
conceivable causes have been considered. 

Lastly, they provide a convenient and efficient 
format helpful in the computation of the probability of 
system failure. [Ref. 5: p. 10] 

[Figure 3.1 Example of a Fault Tree. Labels: Events, OR Gate, Bottom Events]

C. ASSUMPTIONS

In selecting fault tree analysis as the analysis
tool, some assumptions had to be made. Fault tree
analysis requires each component to be either in a go
or no-go status. Typically, a spacecraft has functional
states which are considered as degraded. During the
design of ORION, subsystems were engineered for more 
than just their design envelope. An example is the 
propulsion system. More fuel than an extreme mission 
profile would require is designed into ORION. As such, 
a true degradation will exist in the working
environment (i.e. fuel is used throughout the mission and its
tank is not always full), and the propulsion system is 
considered to either work or not work. 

System components are assumed to have statistically
independent lives. No component can Wc ut cee — omen
replaced, and each component has a finite life. [Ref.
6: p. 10] As with the components, only two states of
the system are recognized, functioning or failed. It is
assumed throughout this thesis that the state of the
system (i.e. functioning or failed) is completely
determined by the states of its components.

Each component will be tested prior to installation
and again after installation to insure the system
functions properly. The total test time for every
component will be at least 500 hours. During these
tests the components will have an opportunity to fail
and be replaced. If after all the tests the component
is still functioning, it is assumed it will face a
constant failure rate during its mission life. This
assumption means the exponential distribution will be
used in determining a component’s survival probability.

The physical structure of the satellite will
undergo stresses and strains. Throughout the analysis
it is assumed the satellite will not be stressed
outside of its design envelope. This means no component
will experience loads greater than or equal to its
elastic limit. Additionally, no part will experience
fatigue failure due to cyclic mechanical or thermal
stress loading. It is also assumed the shared stress
environment creates associated components. The concept
of association will be addressed later.

All basic events are assumed to be relevant to the
event tree. This means each basic event appears in the
union of the min cut sets. A formal definition of
relevant components is presented in Section J of this
chapter.


D. ADVANTAGES OF FAULT TREES 

There are some distinct advantages of fault tree
analysis that make it particularly suited for the
reliability analysis of ORION. These advantages
include:

1. the clarity of subsystem interrelation is
expressed by the tree.

2. the fact that the tree can be quantified.

3. enabling the analyst to focus on one particular
undesired event at a time.

4. for constructing meaningful fault trees, the
analyst has to interact with the designers and
operators to fully understand the system. The
insight obtained during this process is of major
benefit to system design, since weaknesses are
spotted and corrected during this period.

5. the graphical representation of the logic
structure provides a visual tool to both the engineers
and management and is useful for justifying
design changes and performing trade off studies.

6. the fault tree, being in essence a top-down
failure mode and effect analysis, lends itself to
better organization and control than the
conventional failure mode and effect analysis. Because
of the top-down approach, it also offers more
flexibility in terms of termination at any
hardware level as well as selectively exploring
certain critical faults in greater depth.

7. the fault tree can be used to obtain minimal cut
sets which define the modes of system failure and
identify critical components. [Ref. 7] Minimal
cut sets are addressed in paragraph G of this
chapter.


E. DISADVANTAGES OF FAULT TREES 

Though there are some general drawbacks to fault
tree analysis, these shortcomings do not adversely 
affect the analysis of ORION. Fault tree analysis can 
be time consuming, expensive to produce, and include 
overwhelming detail for large or complex systems. Since 
ORION is to be a low cost, multi-purpose bus, a fault 
tree analysis is not necessarily complex or time 
consuming. Another general drawback is it requires 
considerable effort to include all types of common 
cause failures in the fault tree. A fault tree cannot
readily handle priority AND gates and elements in cold
standby. A priority AND gate restricts its inputs to a
specified sequence. ORION has no feature requiring a
priority AND gate and has no component in cold standby.


F. CONSTRUCTION OF A FAULT TREE 
There are three groups of symbols commonly used to
construct a fault tree. The three groups presented here
are the events, the logic gates and some special
symbols.

1. Events

Four kinds of events are represented by the
four symbols in Figure 3.2. A circle represents a
clearly defined failure of a basic component. In
contrast to the exactness represented by the circle is the
uncertainty associated with a diamond event, which is a
failure not well understood because of absence of
information or significance. Circles are called primary
events and diamonds secondary events. Collectively they
are called bottom events. As such, they are on the
bottom of the tree, have reliabilities associated with
them, and represent the depth of resolution. Normal,
frequently occurring events are symbolized by a
house-shaped figure. An example is the satellite being
eclipsed by the earth. Without sunlight the solar
panels will not generate a voltage. Though no voltage
is considered a failure, this condition is not the
result of a broken panel. Finally, several events
combined together by a logic gate form a combination
event represented by a rectangle. Rectangles are called
gate events. Gate nodes correspond to intermediate
events while the top node corresponds to a very serious
system failure event.

2. Logic Gates

Many different logic gates are used to combine
events, but three simple ones are sufficient. These
three (AND, OR, and INHIBIT) are illustrated in Figure
3.3. Note that the inputs enter from below and the
output comes from the top of the gate. The AND gate
produces an output if all the inputs exist
simultaneously. The OR gate produces an output when at least
one of the input conditions occurs. These two gates are
the same as ordinary usage of the words "and" and "or."
The INHIBIT gate produces output when the input is
present and a specified condition exists. In other
words, the output is "inhibited" by lack of the stated
condition. The INHIBIT gate can be compared to
FORTRAN’s logical IF statement. The FORTRAN statement
"IF (A .EQ. B) GOTO 1030" states that if the condition
A equals B is satisfied, go to statement number 1030.
If the condition is not satisfied, continue in normal
sequence.

Figure 3.2 Events

Circle: Basic component failure
Diamond: Failure undeveloped due to lack of information or lack of significance
House: Normally occurring event, probability close to one
Rectangle: Combination of other three events; does not appear at lowest level of tree
Ellipse: Priority description or restriction placed on the gate or an indicator of multiple components

Figure 3.3 Logic Gates

AND Gate
Priority AND Gate: Description of priority or restriction on inputs
OR Gate
Restricted OR Gate: Restriction on input combinations producing output

3. Special Symbols 

Shown in Figure 3.4 are three special symbols
representing parts of trees used to reduce redundancy.
These comprise the last set of symbols presented for
construction of a fault tree.

The hexagon refers to another fault tree which
is substituted where the symbol appears. A good use for
this symbol would be when a particular failure needs
further definition. The detailed tree would be headed
with another hexagon and bear the same label as the
hexagon in the original tree.

To repeat another portion of the same tree, a
pair of triangles is used. The portion of the tree
below the triangle on the left is substituted at the
point where the triangle appears on the right.

The last special symbol (an ellipse) indicates
identical components either in series or parallel. In
this case only one component is mentioned and the
redundancy is shown by an ellipse around the input. The
number of components is written beside the symbol.


G. MINIMAL CUT SETS 

A listing of minimal cut sets (or min cut sets or
MCS) is useful for design purposes by helping to
determine the "weakest link(s)" in the system. A cut
set is defined as any set of primary and secondary
events whose occurrences cause the top event to occur.
A cut set is minimal if it cannot be reduced and still
ensure the occurrence of the top event.

Figure 3.4 Special Symbols

Hexagon: To repeat a separate tree
Triangle: To repeat a portion of the same tree
Ellipse: To indicate n identical components

The algorithm used to identify min cut sets is 
based on the fact that AND gates always increase the 
size of a cut set while an OR gate always increases the 
number of cut sets. 

The simplest and clearest way to explain the min 
cut set algorithm is to illustrate its operation in an 
example. The event tree for Example 3.1 is Figure 3.5. 

Example 3.1:

The algorithm begins with the gate immediately
below the top event. If the gate is an OR gate, each
input is an entry in separate rows of a list matrix. If
the gate is an AND gate, each input is listed in the
first row of a list matrix. Since the gate immediately
below the top event in Figure 3.5 is an OR gate, the
construction of the list matrix begins with inputs 1,
G1, and 2 in separate rows as follows:

1
G1
2


Since any one of the inputs can cause the top event to 
occur, each will be a member of a separate cut set. 

The idea of the algorithm is to replace each gate 
by its input gates and basic events until a list matrix 
is constructed, all of whose entries are basic events. 
The rows will then correspond to cut sets. 

Since G1 is an OR gate, G1 is replaced by its input
events in separate rows as follows:

3

Likewise, G2 is replaced by its input events in
separate rows.
Q?
NWWOLPHR 


Since all inputs to an AND gate must occur to cause
the intermediate event above the AND gate, this shows
that an AND gate increases the length of its row. An OR
gate, on the other hand, increases the number of rows
in the list matrix.

Replacing G3 (which is an AND gate) by its inputs,
the list matrix becomes:


Replacing G4 by its inputs, the list becomes: 


Continuing until the list contains only primary and
secondary events, the list stops with these (rearranged)
cut sets:


al 6,9 (es, Sao 

724 6,10 eee 8,10 
3 Oe; 1d: (otal ey 5 JUL 
~ Gn 2 CR 2s S72 
4) 613 7443 $,13 


In this example basic events are not repeated. As
basic events are not repeated all of the cut sets are
minimal cut sets. This means no one cut set is
contained in any other cut set. Generally, if basic
events are repeated in the tree, the algorithm does not
determine only min cut sets. So, when basic events are
repeated somewhere in the tree the list matrix must be
searched to eliminate cut sets which contain other
sets. The final list will then contain only min cut
sets.
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Be erreen Maw, PATHe SETS 

The dual to a cut set is a path set. Path sets are
determined through the dual event tree and consist of
the events necessary to make the system function rather
than fail. To draw the dual event tree, replace AND
gates with OR gates and OR gates with AND gates in the
original tree. Each event must also be replaced with a
dual description. Failures in the original tree become
successes in the dual (new) tree. In general, the dual
basic events are the non-occurrence of the original
basic events.

As in the cut sets, the focus is on the minimal
path sets. A path set is minimal if it cannot be
further reduced and still insure the top event (now a
system success). Min path sets are determined by
applying the same min cut algorithm to the dual (new)
tree.
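The list-matrix procedure and its dual, as an added example that is not code from the thesis. The tree below is constructed for illustration (it is not the ORION tree); B2 and B3 are repeated so that the search for cut sets contained in other cut sets has work to do, and the function names are this example's own.

```python
from itertools import product

# Constructed tree for illustration (not the ORION tree). Keys are gates;
# any input that is not a key is a basic event. B2 and B3 feed more than
# one gate, so the raw list matrix contains a non-minimal cut set.
TREE = {
    "G0": ("OR",  ["G1", "G2"]),
    "G1": ("AND", ["B1", "G3"]),
    "G2": ("AND", ["B2", "B3"]),
    "G3": ("OR",  ["B2", "B4", "G4"]),
    "G4": ("AND", ["B2", "B3"]),
}


def expand(tree, top):
    """List-matrix expansion: replace gates by inputs until only basic events remain."""
    pending, finished = [frozenset([top])], []
    while pending:
        row = pending.pop()
        gate = next((e for e in row if e in tree), None)
        if gate is None:
            finished.append(row)
            continue
        kind, inputs = tree[gate]
        rest = row - {gate}
        if kind == "AND":            # an AND gate lengthens the row
            pending.append(rest | frozenset(inputs))
        else:                        # an OR gate adds one row per input
            pending.extend(rest | {i} for i in inputs)
    return finished


def minimal(sets):
    """Drop every set that strictly contains another set in the list."""
    unique = set(sets)
    keep = [s for s in unique if not any(o < s for o in unique)]
    return sorted(keep, key=lambda s: (len(s), sorted(s)))


def dual(tree):
    """Swap AND and OR; basic events now read as 'component functions'."""
    swap = {"AND": "OR", "OR": "AND"}
    return {g: (swap[kind], inputs) for g, (kind, inputs) in tree.items()}


def min_cut_sets(tree, top):
    return minimal(expand(tree, top))


def min_path_sets(tree, top):
    return minimal(expand(dual(tree), top))


def top_event(tree, node, failed):
    """Evaluate the tree directly for a given set of failed basic events."""
    if node not in tree:
        return node in failed
    kind, inputs = tree[node]
    results = [top_event(tree, i, failed) for i in inputs]
    return all(results) if kind == "AND" else any(results)


def cut_sets_match_tree(tree, top):
    """Cross-check: the top event occurs exactly when some min cut set has fully failed."""
    basics = sorted({i for _, ins in tree.values() for i in ins if i not in tree})
    cuts = min_cut_sets(tree, top)
    for bits in product((False, True), repeat=len(basics)):
        failed = {b for b, bit in zip(basics, bits) if bit}
        if top_event(tree, top, failed) != any(c <= failed for c in cuts):
            return False
    return True


if __name__ == "__main__":
    print("raw rows     :", sorted(sorted(r) for r in expand(TREE, "G0")))
    print("min cut sets :", [sorted(c) for c in min_cut_sets(TREE, "G0")])
    print("min path sets:", [sorted(p) for p in min_path_sets(TREE, "G0")])
    print("consistent   :", cut_sets_match_tree(TREE, "G0"))
```

The raw expansion contains the row B1, B2, B3, which is dropped because it contains the cut set B1, B2.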


I. PROBABILITY EVALUATION OF FAULT TREES 

To build the mathematical structure necessary to
derive system reliabilities the states of a component
must first be defined. To indicate the state of the ith
component a binary indicator variable $x_i$ is assigned to
component i:

$$x_i = \begin{cases} 1 & \text{if component } i \text{ is functioning} \\ 0 & \text{if component } i \text{ is not functioning} \end{cases}$$

where i = 1, ..., n, and n is the number of components
in the system. Additionally, a binary variable $\phi$
indicates the functioning of the system:

$$\phi = \begin{cases} 1 & \text{if the system is functioning} \\ 0 & \text{if the system is not functioning} \end{cases}$$

Since it is assumed that the state of the components
completely determines the state of the system the
system state can be represented as

$$\phi = \phi(x)$$

where

$$x = (x_1, \ldots, x_n).$$
The function $\phi(x)$ is called the structure function of
the system. The number of components (n) in the system
is called the order of the system. As an example, the
structure function of a series of n components is

$$\phi(x) = \prod_{i=1}^{n} x_i = \min(x_1, \ldots, x_n).$$

Consistent with above, $\phi(x)$ is 1 only if all the
components function.

Similarly, for a parallel arrangement of n components,
the structure function becomes

$$\phi(x) = \coprod_{i=1}^{n} x_i = \max(x_1, \ldots, x_n)$$

or equivalently

$$\coprod_{i=1}^{n} x_i = 1 - \prod_{i=1}^{n} (1 - x_i).$$

This returns a value of 1 if there is at least one
functioning component (i.e. some $x_i = 1$). Both notations are
consistent with their respective usages in logic.

A k-out-of-n structure functions if and only if at
least k of the n components function. This structure
function is shown by

$$\phi(x) = \begin{cases} 1 & \text{if } \sum_{i=1}^{n} x_i \ge k \\ 0 & \text{if } \sum_{i=1}^{n} x_i < k \end{cases}$$


Fault trees with AND and OR gates create structure
functions which are coherent². Then given a coherent
structure ($\phi$) of order n


This means a system’s performance is bounded below by a 


series representation and above by a parallel 
representation. [Ref. 8: pp. 6-8] 

With the jth (j = 1, ..., p) min path set $P_j$, we
may express a structure $\rho_j$ (called the minimal path
series structure) with arguments $x_i$, $i \in P_j$:

$$\rho_j(x) = \prod_{i \in P_j} x_i.$$

The structure $\rho_j$ is binary and takes on the value 1 if
all the components in the jth min path set function.
This expression depicts a path set as a series
arrangement of the path set's elements. A system will
function when at least one min path set functions. The
structure function can then be written as

$$\phi(x) = \coprod_{j=1}^{p} \rho_j(x) = 1 - \prod_{j=1}^{p} [1 - \rho_j(x)].$$

This means the structure function can be viewed as a
parallel arrangement of the path sets. This is commonly
referred to as a parallel-series arrangement.

Similarly, with minimal cut sets, the structure $\kappa_j$
(called the minimal parallel cut structure) can be
expressed with arguments $x_i$, $i \in K_j$:

$$\kappa_j(x) = \coprod_{i \in K_j} x_i$$

which is binary and takes on the value 0 when all the
components in the jth min cut set fail and 1
otherwise.

² A coherent structure being, roughly, one whose
performance does not deteriorate when failed components
are replaced by functioning ones [Ref. 8: pp. 191,192].

Since the system will fail if and only if at least
one of the min cut structures fails, the structure
function can be viewed as a series arrangement of the
cut sets with the elements of a cut set arranged in
parallel. Such an arrangement can be expressed as

$$\phi(x) = \prod_{j=1}^{k} \kappa_j(x).$$

This is referred to as a series-parallel arrangement.

Initially, the components are assumed to be statistically
independent. If the state of the ith component
is random (denoted as $X_i$) then

$$P[X_i = 1] = p_i = E[X_i], \quad i = 1, \ldots, n,$$

where E[X] means the expected value of X. The
probability that i functions, $p_i$, is referred to as the
reliability of component i. In similar fashion, the
reliability of the system is

$$P[\phi(X) = 1] = r = E[\phi(X)].$$

The reliability of the k-out-of-n case with
identical components and reliabilities becomes [Ref. 8:
pp. 20-21]

$$r = \sum_{i=k}^{n} \binom{n}{i} p^{i} (1 - p)^{n-i}.$$


The preceding formula holds under the assumption of
component independence. In reality, this is not usually
the case. Independence will be replaced with a form of
positive dependence. Components can become positively
dependent in various ways. For example, if a subsystem
has several like-components and one of them fails, the
subsystem remains functional because the remaining
functioning components share the load. Another way
positive dependence is created is when all the
components are subjected to the same stress environment.
The components of ORION fall in this category. If
the reliability of a series arrangement of independent
components is calculated, when in fact they are
associated³, the resultant reliability will be an
underestimate of the true reliability. The opposite
holds for parallel systems. [Ref. 8: pp. 29,32]

The following min-max bounds theorem is presented
in Reference 8, page 37, along with the theorem's
proof.

Let $\phi$ be a coherent structure. Let $P_1, P_2, \ldots, P_p$
be the component min path sets corresponding to $\phi$;
and let $K_1, K_2, \ldots, K_k$ be the component min cut sets
corresponding to $\phi$. If components are associated,
then the following bounds hold:

$$\max_{1 \le r \le p} \prod_{i \in P_r} p_i \;\le\; P[\phi(X) = 1] \;\le\; \min_{1 \le s \le k} \coprod_{i \in K_s} p_i.$$

Another, equivalent relationship can be expressed in
terms of $q_i = 1 - p_i$. The above bounds now become:

$$\max_{1 \le r \le p} \prod_{i \in P_r} (1 - q_i) \;\le\; P[\phi(X) = 1] \;\le\; \min_{1 \le s \le k} \Big( 1 - \prod_{i \in K_s} q_i \Big).$$


J. IMPORTANCE OF BASIC EVENTS 


There are two kinds of component importance. The
first is structure importance and the second is
reliability importance. Before discussing each of
these, the concept and definition of relevance must be
established. The following definition will be used.

³ Association is a particular form of positive
dependence [Ref. p. 150] which can be a reasonable
assumption in modeling ORION.

The ith component is irrelevant to the structure
$\phi$ if $\phi$ is constant in $x_i$; that is, $\phi(1_i, x) = \phi(0_i, x)$
for all $(\cdot_i, x)$.⁴ Otherwise the ith component is relevant to
the structure. [Ref. 8: p.4]

The structure importance of a component focuses on
whether or not a component changes the structure
function from 0 to 1 or from 1 to 0. In essence, the
structural importance is concerned with only relevant
components. If component i is relevant, then the
following property holds,

$$\phi(1_i, x) - \phi(0_i, x) = 1 \quad \text{for some } (\cdot_i, x).$$

When this condition exists $(1_i, x)$ is called a critical
path vector for i. Let $n_\phi(i)$ denote the total number of
critical path vectors for i. This means

$$n_\phi(i) = \sum_{\{x \mid x_i = 1\}} [\phi(1_i, x) - \phi(0_i, x)].$$

This is also the same total number of critical path
sets for i. [Ref. 8:p. 13]

The following is a credible measure of the
structural importance of component i:

$$I_\phi(i) = \frac{1}{2^{n-1}} \sum_{\{x \mid x_i = 1\}} [\phi(1_i, x) - \phi(0_i, x)].$$

This depicts the proportional number of the $2^{n-1}$
outcomes which have $x_i = 1$ in the critical path vectors
for i. As a result, for any given $\phi$, the components
may be ordered (based on structural importance) by
ordering $I_\phi(1), \ldots, I_\phi(n)$. [Ref. 8:p. 14]

⁴ Notation: $(1_i, x) = (x_1, \ldots, x_{i-1}, 1, x_{i+1}, \ldots, x_n)$ and
$(0_i, x) = (x_1, \ldots, x_{i-1}, 0, x_{i+1}, \ldots, x_n)$.

The second type of importance is the component's
reliability importance. This takes into account the
component reliabilities as well as the system
structure. If components can be ranked according to
their importance to the system reliability, this
ranking information can be helpful in determining which
component(s) should have the highest priority for
research and development. This allows managers to
expend effort and money more wisely. [Ref. 8:p. 26]

Intuitively, it would seem a component's
reliability importance could be measured by observing
the rate of change in the system's reliability as the
component's reliability changes. The reliability
importance $I_h(i)$ of component i is given by

$$I_h(i) = E[\phi(1_i, X) - \phi(0_i, X)].$$

This definition holds even if the components are
associated. [Ref. 8: pp. 26-27]
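An added example (not code from the thesis) that applies the structural importance, reliability importance and min-max bound definitions above to the attitude detection subsystem, using the cut sets Appendix C gives for it: sun sensor with earth sensor, and either sensor with all four magnetometers. The component reliabilities are constructed values, the names are this example's own, and the expectations are evaluated under the independence assumption.

```python
from itertools import product
from math import prod

COMPONENTS = ["sun", "earth", "mag1", "mag2", "mag3", "mag4"]
MAGS = COMPONENTS[2:]

# Min cut sets as described in Appendix C for attitude detection.
MIN_CUTS = [{"sun", "earth"}, {"sun", *MAGS}, {"earth", *MAGS}]
# Min path sets of the same structure (2 out of 3: sun, earth, 1-of-4 mags).
MIN_PATHS = [{"sun", "earth"}] + [{s, m} for s in ("sun", "earth") for m in MAGS]

# Constructed component reliabilities p_i (not ORION data).
SAMPLE_P = {"sun": 0.95, "earth": 0.95, **{m: 0.90 for m in MAGS}}


def phi(state):
    """Series arrangement of the min parallel cut structures."""
    return int(all(any(state[i] for i in cut) for cut in MIN_CUTS))


def phi_paths(state):
    """Parallel arrangement of the min path series structures."""
    return int(any(all(state[i] for i in path) for path in MIN_PATHS))


def all_states(names=COMPONENTS):
    for bits in product((0, 1), repeat=len(names)):
        yield dict(zip(names, bits))


def others(i):
    return [c for c in COMPONENTS if c != i]


def structural_importance(i):
    """Share of the 2^(n-1) states of the other components critical for i."""
    critical = sum(phi({**s, i: 1}) - phi({**s, i: 0}) for s in all_states(others(i)))
    return critical / 2 ** (len(COMPONENTS) - 1)


def prob(state, p):
    """Probability of a state vector when components are independent."""
    return prod(p[c] if up else 1 - p[c] for c, up in state.items())


def reliability_importance(i, p):
    """E[phi(1_i, X) - phi(0_i, X)], evaluated assuming independence."""
    return sum(prob(s, p) * (phi({**s, i: 1}) - phi({**s, i: 0}))
               for s in all_states(others(i)))


def system_reliability(p):
    """Exact P[phi(X) = 1] by enumeration, assuming independence."""
    return sum(prob(s, p) * phi(s) for s in all_states())


def min_max_bounds(p):
    """Most reliable min path (lower) and least reliable min cut (upper)."""
    lower = max(prod(p[i] for i in path) for path in MIN_PATHS)
    upper = min(1 - prod(1 - p[i] for i in cut) for cut in MIN_CUTS)
    return lower, upper


if __name__ == "__main__":
    for c in ("sun", "earth", "mag1"):
        print(c, structural_importance(c), reliability_importance(c, SAMPLE_P))
    print("bounds:", min_max_bounds(SAMPLE_P), "exact:", system_reliability(SAMPLE_P))
```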
IV. SYSTEM RELIABILITY ANALYSIS


Using a copy of the schematics of ORION (Appendix 
A) and maintaining a constant interface with the 
designers, the ORION fault tree was developed (Appendix 
B). Once the fault tree was established the min cut 
algorithm was applied to it. This algorithm revealed 82 
minimal cut sets. Of these cut sets 22 are single 
element sets, 29 are double element cut sets, 27 are 
triple element cut sets, 2 are five element cut sets, 1
is a six element cut set and 1 is an eleven element cut 
set. Once these cut sets were established, the dual 
tree was constructed and the min paths determined. 
There are 33,890,503,680 distinct paths, of which the 
vast majority is due to the large number of paths 
through the solar strings. In general, the paths are 
formed by combining the following components: 
- 2 out of 3 attitude detection components 
- sun sensor 
- earth sensor 
- 1 out of 4 magnetometers 
- 1 computer 
— et Ouse of 6 bubble memory cards each with 
functional heater strips and thermistors 
- 1 shunt regulator 
- 1 out of 2 batteries
- 14 out of 24 solar strings 
- 4 solar connectors 
- 3 out of 4 momentum wheels 
- 1 out of 2 spin up thrusters with a functional 
solenoid 
- 1 out of 2 spin down thrusters with a functional 
solenoid 
- 1 out of 2 nutation thrusters with a functional
solenoid
- 1 orbit insert thruster with functional solenoid
- 2 pyrotechnic valves
- 2 fill and drain valves
- 2 pressurant tanks
- 1 hydrazine tank with functioning heaters and
thermistors 
- Hydrazine line intact with functional heaters and 
thermistors 
- 1 out of 2 antennas functioning and deployed 
- 1 combiner/splitter in the TT&C 
- 1 TT&C transceiver 
- 1 TT&C interface hardware
- Pressurant line intact
- 1 heater control hardware
- 1 bubble storage controller
- 1 attitude control interface

If the solar strings are considered as a single
module, the number of paths reduces to 17,280. Similar
modular reductions can take place when a subsystem
consists of k out of n like-components. All but the
attitude detection subsystem can be reduced to an
equivalent single component. This reduces the final
number of paths to three.

The three reduced paths were used to calculate the
structural importance of the components. The calculations
reveal seven levels of relative importance in the
following hierarchy (1 being the most relevant):

1. all basic components except those listed below.
(A detailed list is given in Appendix C);
2. a momentum wheel;
3. a bubble memory card with functioning heaters and
thermistors;
4. a solar string;
5. the sun sensor, the earth sensor, a nutation,
spin up, and spin down thruster with their
functioning solenoids;
6. a battery, an antenna, a hydrazine tank heater
and a thermistor; and
7. a magnetometer.

A schematic of the path sets is at Appendix C.

The reliability importance cannot be specifically
calculated since the actual hardware for several
subsystems has not been defined. A Lotus 1-2-3
spreadsheet was developed so the designers can input
component reliabilities as the subsystems are defined.
The spreadsheet can then calculate the system's
reliability boundaries and components' reliability
importance. The data (i.e. component failure rates) for
inclusion in the spreadsheet come from two major
sources, JPL TR 32-1505 and MILSTD 217D. The spreadsheet
identifies the lower boundary as the most
reliable path and the upper boundary as the least
reliable cut. The number of paths to compare is
significantly reduced by using a modular approach (i.e.
using the binomial distribution to calculate the
reliability of a k out of n subsystem). Such a
reduction allows the problem to be handled by a
spreadsheet. Even in a reduced form, the model
maintains the ability to discern an impact on the
system reliability when changing, for example, only a
solar string's reliability. The spreadsheet is then
singularly important because it can readily do this
"what-if" analysis.
V. CONCLUSION


A. OVERALL FINDINGS 
Throughout the analysis, it became apparent that
the fault tree is a "living" document. It must be
maintained to reflect the existing design if it is to
aid in the design process. The fault tree can help
explain the cause of a failure after design is complete
and the system is on station, but only if the fault
tree reflects the current design. Aiding in the design,
and determination of a failure after system employment
are strong motives to maintain the fault tree. This
thesis includes sufficient background so maintenance
can be done to insure the longevity of the fault tree.

A total of 82 cut sets were determined and the
components' structural importance derived. This
information can be used to help focus research and
budget efforts.

Lastly, a spreadsheet was developed to model the 
system’s reliability boundaries as well as component 
reliability importance. 


B. RECOMMENDATIONS 
There are five recommendations based upon the fault
tree analysis. They are:
1. as each subsystem is developed, conduct a
detailed fault tree analysis of that subsystem.
2. after a subsystem is constructed, conduct a
circuit stress analysis of each component and the
subsystem.
3. as the design may change, maintain the fault
tree.
4. for electrical components, use the designing
engineer's reliability based diagram to help
construct the fault tree. If a diagram is not
available, request one be made.
5. focus research and budget attention on those
components listed with the highest structural and
reliability importance.

Due to ORION's design to be low cost and
reconfigurable, ORION is an excellent candidate for
constellation proliferation. A logical follow-on study
to this one would be a study of a constellation's
reliability.
APPENDIX A
ORION SUBSYSTEM SCHEMATICS


The enclosed schematics were used to develop the
fault tree for ORION.
APPENDIX B
ORION FAULT TREES


The fault tree developed is broken into small
sections and is included in this Appendix.
[Figure B.1 Top of Fault Tree. Node labels: Satellite Failure; Attitude Control Failure; Propulsion System Failure; TT&C Failure; Att/Det Failure; Wheel Fails]
[Figure B.2 Control Fault Tree. Node labels: Control Failure; Controller Failure; Computer Failure; Output; Heater Control Failure; Y13; Y7, Y8, Y9]
[Figure B.5 Thruster Fault Tree. Node label: Thruster Failure]


Use 


of 


Cut sets. 


description 


Y38, 


Yi 

aS 

Y13 
Y14 
Y15 
Y42 
Y43 
Y44 
Y45 
Y46 
Y47 
Y52 
Yo4 
Y56 
Y66 
Vow 
Y74 
bras 
Y76 


oe 
YG; 
EAR 
Y2o, 
Y39 


APPENDIX C 
ORION PATH AND CUT SETS 


The min cut algorithm produced 82 minimal cut sets.
Their basic component designation and description
are listed below:


Single Element Cut Sets
Attitude control interface electronics 


Data storage controller 
Heater control hardware 
Computer 

Shunt regulator 

Propulsion interface electronics 
Hydrazine line 

Hydrazine line heater 
Hydrazine line thermistor 
Pressurant line

Hydrazine tank 

and Y53 Fill and drain valve 
and Y55 Pressurant tank 

and Y57 Pyrotechnic valve 
Orbit thruster

Orbit thruster heater

TT&C combiner splitter 

TT&C transceiver hardware 
TT&C interface hardware 


Double Element Cut Sets 
Y31 Sun sensor and earth sensor 
Y17 Both batteries
Y24 Two solar array connectors 
Y37 Two momentum wheels 
Y3S qe Any pair of thrusters 
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39, 
IS | 
Woo, 
ales 
Sole) + 


Y48, 
Y49, 


Mos, 
Y68, 
Yoo; 
Y 70 
170; 


bubble memory 


the simi 


cards. 


Y40 
Yoo 
Y6O 
Y63 
Yo4 


Y50O 
Y50 


OF IL 
Y73 
Y 72 
7a 
Y73 


lar 


Y4, 
Ya, 
Y4, 


Yes 
bale 
re 


XAG ; 
Loe 
yO: 


Y40, 
Yos, 
Y6O, 
Mod. 
Yo4, 


Y48, 
Y49; 


Yo8, 
109: 
Moo, 
Y 7a; 


Y41 
Yol 
oO 1 
Y65 
Y65 


Yo 1 
ol 


ae 
real 
x7 Ss 
Y72 


(spin up, spin down or nutation) disabled by a
combination of the thruster or its heater
failing and a similar failure on the coupled
thruster.

Any combination of the heaters and thermistors
of the hydrazine tank.

Any combination of an antenna, an antenna
connector, or antenna deployment with the
similar events of the other antenna.


Triple Element Cut Sets
All of these cut sets are any combination of a bubble
memory card, its heater or its thermistor with the
similar events on any other two bubble memory cards.


Five Element Cut Sets 


Y2; Y32, YS335e27 we The sun sensor and all 


13 i 


VIS? 


Ys, a: 


four magnetometers 


Y32 , (3s oO ese 135 The earth sensor and all 


four magnetometers 


Six Element Cut Set
Y19 ,@Y20,°-Y21." Y22 eras One solar array 
and any five solar strings from the 
remaining 18 


Eleven Element Cut Set 
Y20, Yel; Y22, Y25 326-5 yao oo ee 


Any combination of 11 solar strings from the 24 


The following components were determined to have
the highest structural importance.


- Computer
- Shunt regulator
- Solar array connectors
- Heater control hardware
- Hydrazine tank
- Hydrazine line
- Hydrazine line heater
- Hydrazine line thermistor
- Pressurant tanks
- Pressurant line
- Fill and drain valves
- Propulsion interface electronics
- Orbit thruster
- Orbit thruster heater
- Attitude control interface
- Data storage controller
- TT&C combiner splitter
- TT&C transceiver hardware
- TT&C interface hardware
APPENDIX D
LOTUS SPREADSHEET LISTING


The enclosed listing of a Lotus 1-2-3 spreadsheet
was converted to a MathPlan 3.0 format for inclusion in
this Appendix. It contains the elements necessary to do
a "what-if" analysis. As the subsystems are designed
and constructed, their reliabilities can be placed in
the spreadsheet to observe the subsystem's impact on
the system's reliability.
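The modular "what-if" calculation the thesis describes for its spreadsheet, as an added Python example that is not the thesis's Lotus 1-2-3 model: each k out of n subsystem is reduced to one equivalent component with the binomial formula, and the reduced modules are combined in series. The k and n values come from the path list in Section IV; the failure rates are constructed placeholders, and the exponential reliability over a three-year mission (26,280 hours) is an assumption of this example.

```python
from math import comb, exp

MISSION_HOURS = 3 * 8760  # three-year mission life = 26,280 hours


def component_reliability(failure_rate, hours=MISSION_HOURS):
    """Reliability of one component with a constant failure rate (per hour)."""
    return exp(-failure_rate * hours)


def k_out_of_n(k, n, p):
    """Reliability of a k out of n module of identical, independent components."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


# (module, k, n, failure rate per hour). k and n follow the path list in
# Section IV; the failure rates are constructed, not ORION data.
MODULES = [
    ("computer",        1,  1,  1.0e-6),
    ("shunt regulator", 1,  1,  5.0e-7),
    ("batteries",       1,  2,  4.0e-6),
    ("solar strings",   14, 24, 1.5e-5),
    ("momentum wheels", 3,  4,  2.0e-6),
]


def module_reliabilities(modules):
    """Reduce every k out of n subsystem to one equivalent component."""
    return {name: k_out_of_n(k, n, component_reliability(rate))
            for name, k, n, rate in modules}


def system_reliability(modules):
    """Series arrangement of the reduced modules (all must function)."""
    result = 1.0
    for value in module_reliabilities(modules).values():
        result *= value
    return result


def what_if(modules, name, new_rate):
    """System reliability before and after changing one module's failure rate."""
    changed = [(m, k, n, new_rate if m == name else rate)
               for m, k, n, rate in modules]
    return system_reliability(modules), system_reliability(changed)


if __name__ == "__main__":
    for name, value in module_reliabilities(MODULES).items():
        print(f"{name:16s} {value:.6f}")
    before, after = what_if(MODULES, "solar strings", 1.0e-5)
    print(f"system: {before:.6f} -> {after:.6f} with a better solar string")
```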